Cloud security turns to identity, access & sovereignty
Docusign, BeyondTrust and Saviynt executives say identity, data sovereignty and basic access controls now sit at the centre of cloud security for organisations using large-scale cloud platforms.
The comments coincide with World Cloud Security Day, as vendors highlight cloud-related risks.
Across the sector, leaders are pointing to a shift from perimeter-focused defences to identity, access and trust in distributed environments. In their view, breaches increasingly stem from misconfigurations, excessive privileges and poorly governed digital identities rather than novel exploits.
Ed Knott, Vice President, Australia and New Zealand at Docusign, linked cloud security to trust in digital agreements.
"World Cloud Security Day is a reminder that at its heart, every agreement is an act of trust. That's why we weave security into every aspect of our organisation through a trust and security program, focusing on people, processes and the platform - and meeting national and international security standards and certifications," said Ed Knott, Vice President, Australia and New Zealand, Docusign.
Knott also highlighted the importance of data residency in Australia, where organisations face specific regulatory and sovereignty requirements. Docusign, he said, now stores and processes more categories of customer data onshore.
"In Australia, that also means data residency and sovereignty. Docusign has doubled down on its commitment to keeping local data stored and processed onshore by extending our local data centre from eSignature - to now support CLM and IAM. This helps organisations comply with privacy laws, regulations and industry standards," said Knott.
He pointed to independent certification as a way for organisations to assess providers rather than rely on assumptions about security.
"Security should also be demonstrated, not assumed. Continual leadership in defining best practices and rigorous scrutiny by independent third-party audits, such as IRAP certification, should be standard. These assessments and validation of security controls give organisations greater confidence by ensuring compliance with applicable laws," said Knott.
Knott described cloud infrastructure as a foundation for digital trust, alongside identity assurance and document protection.
"Cloud infrastructure is now the backbone of digital trust. Platforms like Docusign IAM enable secure document sharing, AI-powered workflows and robust storage capabilities, without losing sight of where data sits or who is responsible for it. With 69% of organisations observing a rise in identity fraud, having confidence in integrated, government-backed ID systems that customers already trust is no longer optional, it's the basis of every lasting relationship," said Knott.
Access control and identity risk in cloud environments also featured strongly in commentary from BeyondTrust executives, who argued that organisations still overlook basic identity hygiene as they expand their use of cloud services.
James Maude, Field Chief Technology Officer at BeyondTrust, said many cloud incidents trace back to routine access decisions rather than sophisticated attacks.
"World Cloud Security Day is a useful reminder to recognise how much cloud risk now comes down to everyday access decisions and overlooked misconfigurations. Many incidents don't involve sophisticated zero-day exploits. Instead, credentials, permissions, or tokens are misused in ways no one expected. In the cloud one compromised identity can lead to a breach at machine speed and hyperscale. This is why reducing standing privilege and tightening access isn't about slowing teams down, it's about limiting how far a mistake or compromise can spread. As cloud environments grow more complex, clarity over who (or what) can do what matters more than adding yet another security layer. Getting the basics of identity and access right still pays the biggest dividends," said James Maude, Field Chief Technology Officer, BeyondTrust.
BeyondTrust Chief Security Advisor Morey Haber said the move to cloud had shifted, rather than removed, core security risks. He described identity as the new control point for attackers.
"World Cloud Security Day is a reminder that the cloud did not eliminate risk. It restructured it and identity is now the control plane poised as the most significant attack vector that needs attention. Simple identity misconfigurations, excessive privileges, and faults in joiner, mover, and leaver processes are vulnerabilities hiding in plain sight. Unfortunately, organisations still treat cloud and identity security as a tooling problem. It is not. It is an authentication, authorisation, and remote access problem. Every workload, API, AI agent, and machine identity expands the attack surface and if you do not have visibility into operations, you cannot defend it. This requires intelligence and protection to analyse settings, determine faults, map paths to privileged access, and implement concepts like least privilege and just-in-time access. Solutions in the cloud are truly moving fast. Threat actors are moving faster, and your identity security strategy must be a priority or you will be left behind and vulnerable," said Morey Haber, Chief Security Advisor, BeyondTrust.
Haber's comments reflect broader concern among security specialists about the governance of non-human identities, including service accounts, machine identities and AI agents with automated access to sensitive systems.
Vijay Chaudhari, Principal Solutions Engineer APJ at Saviynt, said boards and executives should now treat cloud security as a business risk with direct financial and regulatory consequences.
"On this World Cloud Security Day, cloud security must be recognised as a core business priority, not just a technical function. As organisations accelerate cloud adoption, they are expanding their attack surface and introducing new risks across data, applications, and infrastructure. At the same time, cyber threats are becoming more sophisticated, and the impact of breaches continues to escalate across financial, regulatory, and reputational dimensions. This shift requires moving beyond fragmented, reactive controls toward a converged security approach in which identity serves as the central control plane, delivering consistent visibility, governance, and enforcement across the entire cloud environment, including strong privileged access management to control and monitor high-risk access," said Vijay Chaudhari, Principal Solutions Engineer APJ, Saviynt.
Chaudhari identified AI agents as an emerging blind spot, noting that they often operate with high levels of access and limited oversight.
"A key driver of this transformation is the rapid rise of AI agents. These non-human identities operate autonomously, often with elevated access and limited oversight, which creates a significant security gap. Without proper governance, they can become invisible entry points for attackers, enabling the misuse of privileges, lateral movement, and data exposure. Organisations must therefore treat AI agents as first-class identities, applying the same lifecycle management, ownership accountability, and least-privilege principles enforced for human users, while ensuring privileged access is tightly controlled through just-in-time access, session monitoring, and real-time policy enforcement," said Chaudhari.
He added that organisations need integrated identity governance spanning people, applications and infrastructure, with automation across the lifecycle of both human and machine accounts.
"Addressing this challenge requires an identity security approach designed for a converged platform that brings together governance, posture management, privileged access management, and real-time access enforcement. This includes discovering AI agents and machine identities, centralised visibility into access relationships, automated provisioning and deprovisioning, continuous certification, and risk-based access controls. By embedding these capabilities into a unified identity-centric framework aligned with Zero Trust principles, organisations can scale innovation securely while maintaining control, reducing risk, and ensuring that both human and non-human identities are governed with the same level of precision and accountability," said Chaudhari.